Spring Security SAML Implementation

Suresh J · Aug 27, 2014 · Viewed 14.6k times

I am starting with a new Spring project where I am planning to use SSO. I have read the blogs and come to know that Spring Security SAML will be the best solution for the SP.

So I have implemented the Spring Security SAML sample application provided on the Spring site https://github.com/SpringSource/spring-security-saml as the SP along with a Shibboleth IDP.

The IDP connects with an LDAP server. I am able to execute the Spring Security sample application.

I am confused about how I can use this Spring Security SAML extension along with multiple Spring projects.

Any example link or suggestions on architecting the Spring SAML project integration with multiple Spring MVC applications will be helpful.

Answer

Vladimír Schäfer · Sep 24, 2014

Provided your REST APIs are only called by the web application which is deployed together with them (in a single war and therefore sharing the same HTTP session) you can use Spring SAML + Spring Security to secure them.

Spring SAML will be used to authenticate the users against a remote IDP and populate their entitlements (granted authorities); Spring Security can then be used to define security policies for the APIs called from the UI.

In case you want to be able to call the REST APIs from remote clients, you may want to look into the Spring Security OAuth project - as this is no longer about web single sign-on.

It is possible to create a central installation of Spring SAML which handles all SSO logic. Of course you will need to implement a mechanism in which Spring SAML relays information about the authenticated user and her attributes to your other applications, and do so in a secure way. One possible way to approach it (provided the applications are deployed on the same domain and therefore can share cookies) is to:

  • after authentication in Spring SAML, set a shared cookie which is visible to all the other applications and which is e.g. signed by Spring SAML's key or encrypted using a shared key; the cookie should also contain the user's attributes
  • this can be done in a custom AuthenticationSuccessHandler which is subsequently expected to redirect the user to the correct application (e.g. based on some custom logic or relay state)
  • the target application needs to verify the cookie (by checking the signature or decrypting using a shared key, possibly performing other checks), parse the attributes and start its own session which is pre-authenticated based on the content of the cookie

All of this can be done with implementations of standard interfaces of Spring Security and Spring SAML. But it's not a trivial task, mainly considering that any security vulnerability in your implementation might compromise the security of your applications.
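The signed-cookie variant of the three steps above, as an added example that is neither the answer's code nor part of the Spring SAML project: a custom AuthenticationSuccessHandler that issues an HMAC-SHA256-signed, short-lived cookie after SAML login, plus the verify routine a target application would call before starting its pre-authenticated session. The cookie name, the "mail" attribute, the shared domain example.com, the /app1/ redirect and the way the shared key is supplied are all assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

public class SignedSsoCookieHandler implements AuthenticationSuccessHandler {
    private static final String COOKIE = "SSO_TOKEN";   // assumed cookie name
    private static final long TTL_MS = 5 * 60 * 1000L;  // short lifetime limits replay of a stolen cookie
    private final byte[] key;                            // HMAC key shared with the target apps (assumption)
    public SignedSsoCookieHandler(byte[] key) { this.key = key; }

    @Override
    public void onAuthenticationSuccess(HttpServletRequest req, HttpServletResponse res,
                                        Authentication auth) throws IOException {
        // payload = subject|expiry|mail attribute; "mail" is an assumed IDP attribute name
        String payload = auth.getName() + "|" + (System.currentTimeMillis() + TTL_MS) + "|"
                + ((SAMLCredential) auth.getCredentials()).getAttributeAsString("mail");
        String b64 = Base64.getUrlEncoder().withoutPadding().encodeToString(payload.getBytes(StandardCharsets.UTF_8));
        Cookie c = new Cookie(COOKIE, b64 + "." + hmac(b64, key));
        c.setHttpOnly(true); c.setSecure(true); c.setPath("/");
        c.setDomain("example.com");   // parent domain the applications share (assumption)
        res.addCookie(c);
        res.sendRedirect("/app1/");   // choose the target from your own logic or the relay state
    }

    /** Target-app side: returns {subject, expiry, mail}, or null if the cookie is invalid or expired. */
    public static String[] verify(String cookieValue, byte[] key) {
        int dot = cookieValue.lastIndexOf('.'); if (dot < 0) return null;
        String b64 = cookieValue.substring(0, dot), sig = cookieValue.substring(dot + 1);
        // constant-time comparison so timing does not leak the expected signature
        if (!MessageDigest.isEqual(hmac(b64, key).getBytes(StandardCharsets.UTF_8),
                                   sig.getBytes(StandardCharsets.UTF_8))) return null;
        String[] f = new String(Base64.getUrlDecoder().decode(b64), StandardCharsets.UTF_8).split("\\|", -1);
        if (f.length != 3 || Long.parseLong(f[1]) < System.currentTimeMillis()) return null;
        return f;   // hand f[0] to an AbstractPreAuthenticatedProcessingFilter in the target app
    }

    private static String hmac(String data, byte[] key) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(mac.doFinal(data.getBytes(StandardCharsets.UTF_8)));
        } catch (java.security.GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
}
```

The payload is only signed, not encrypted, so it must carry nothing the browser may not see; if attribute confidentiality matters, replace the HMAC with authenticated encryption under the shared key, as the answer's second option describes.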